Uber Settles Data Breach Investigation for $148 Million

Image

An Uber logo on a car in Times Square. Uber’s decision to withhold the announcement of a data breach in 2016 “was a blatant violation of the public’s trust,” said Xavier Becerra, California’s attorney general.CreditCreditMike Segar/Reuters

SAN FRANCISCO — Uber will pay $148 million to settle a nationwide investigation into a 2016 data breach, in which a hacker managed to gain access to information belonging to 57 million riders and drivers. The breach included names and driver’s license numbers for 600,000 drivers.

The investigation, led by state attorneys general across the United States, focused on whether Uber had violated data breach notification laws by not informing consumers that their information had been compromised.

Rather than disclosing the breach when it occurred, Uber paid the hacker $100,000 through its bug bounty program, which financially rewards hackers for discovering and disclosing software flaws. The ride-hailing company persuaded him to delete the data and stay quiet about it with a nondisclosure agreement.

The incident became public a year later when Uber’s chief executive, Dara Khosrowshahi, announced it as a “failure” and fired the two employees who had signed off on the payment.

“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” Xavier Becerra, California’s attorney general, said in a statement. “The company failed to safeguard user data and notify authorities when it was exposed.”

Tony West, Uber’s chief legal officer, said the settlement was part of a larger effort inside Uber to remake the company’s image. He said the company had recently hired a chief privacy officer and a chief trust and security officer.

“We know that earning the trust of our customers and the regulators we work with globally is no easy feat. After all, trust is hard to gain and easy to lose,” Mr. West said.

He added that the breach was disclosed to the public during his first day on the job. “Rather than settling into my new work space and walking the floor to meet my new colleagues, I spent the day calling various state and federal regulators,” Mr. West said.

The Federal Trade Commission settled its investigation into the data breach in April. The trade commission now requires Uber to submit to regular privacy audits as part of a 2017 settlement, which was revised this year to address the most recent breach.

The $148 million settlement announced Wednesday will be divided among all 50 states and the District of Columbia.

"Companies in California and throughout the nation are entrusted with customers’ valuable private information,” Mr. Becerra said. “This settlement broadcasts to all of them that we will hold them accountable to protect that data.”